
导入表内注入代码(二)

 2007-03-17 21:59:50 来源:WEB开发网   
35. PIMAGE_DOS_HEADER pimage_dos_header = new IMAGE_DOS_HEADER;
36. PIMAGE_NT_HEADERS pimage_nt_headers = new IMAGE_NT_HEADERS;
37.
38. ReadProcessMemory( hProcess,
39. (LPCVOID)dwImageBase,
40. pimage_dos_header,
41. sizeof(IMAGE_DOS_HEADER),
42. &dwBytes);
43. ReadProcessMemory( hProcess,
44. (LPCVOID)(dwImageBase+pimage_dos_header->e_lfanew),
45. pimage_nt_headers, sizeof(IMAGE_NT_HEADERS),
46. &dwBytes);
47.
48. PCHAR pMem = (PCHAR)GlobalAlloc(
49. GMEM_FIXED | GMEM_ZEROINIT,
50. pimage_nt_headers->OptionalHeader.SizeOfImage);
51.
52. ReadProcessMemory( hProcess,
53. (LPCVOID)(dwImageBase),
54. pMem,
55. pimage_nt_headers->OptionalHeader.SizeOfImage,
56. &dwBytes);
57. 我们检查各导入项的DLL名称和thunk值,以找到目标并将其重定向。在这个例子中,DLL名称为Shell32.dll,thunk值是ShellAbout()(下面的代码实际取的是ShellAboutW)的虚拟地址。

58. HMODULE hModule = LoadLibrary("Shell32.dll");
59. DWORD dwShellAbout= (DWORD)GetProcAddress(hModule, "ShellAboutW");
60.
61. DWORD dwRedirectMem = (DWORD)VirtualAllocEx(
62. hProcess,
63. NULL,
64. 0x01D000,
65. MEM_COMMIT,
66. PAGE_EXECUTE_READWRITE);
67.
68. RedirectAPI(pMem, dwShellAbout, dwRedirectMem);
69.
70. ...
71.
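/* Returns nonzero when the byte range [rva, rva + len) lies inside an image
 * of imageSize bytes. Written so that the arithmetic cannot wrap. */
static int RvaRangeFits(DWORD rva, DWORD len, DWORD imageSize)
{
    return rva <= imageSize && len <= imageSize - rva;
}

/* ASCII-only, case-insensitive string equality. Neither string is modified. */
static int EqualsIgnoreCaseAscii(const char *a, const char *b)
{
    for (;; a++, b++) {
        char ca = *a;
        char cb = *b;
        if (ca >= 'a' && ca <= 'z')
            ca = (char)(ca - 'a' + 'A');
        if (cb >= 'a' && cb <= 'z')
            cb = (char)(cb - 'a' + 'A');
        if (ca != cb)
            return 0;
        if (ca == '\0')
            return 1;
    }
}

/*
 * Walks the import descriptors of the PE image copy held in pMem and, inside
 * the descriptor whose DLL name is SHELL32.DLL (compared case-insensitively),
 * overwrites the first import-address slot whose value equals API_voffset
 * with NEW_voffset. Only the local buffer is modified.
 *
 * pMem         buffer holding the image, indexed by RVA from its start
 * API_voffset  slot value to look for
 * NEW_voffset  value written over the matching slot
 *
 * Returns 0 when a slot was rewritten, -1 when the buffer is NULL, the
 * headers do not carry the MZ/PE signatures, there is no import directory,
 * a table runs outside the image, or no matching slot exists.
 *
 * Slots are handled as 4-byte values, as the DWORD parameters require, so
 * the routine is only meaningful for 32-bit images.
 *
 * NOTE(review): the function receives no buffer length. It uses
 * OptionalHeader.SizeOfImage as the bound, which is the size the caller on
 * this page allocates; e_lfanew itself cannot be bounded before that field
 * has been read. Confirm against other callers.
 *
 * Unlike the previous version, DLL name strings inside the buffer are left
 * untouched, so a later write-back of the buffer changes nothing except the
 * one rewritten slot.
 */
int RedirectAPI(PCHAR pMem, DWORD API_voffset, DWORD NEW_voffset)
{
    PCHAR pImageBase = pMem;
    if (pImageBase == NULL)
        return -1;

    /* Refuse anything that does not look like a PE image before trusting
     * the offsets stored in it. */
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pImageBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE || pDosHeader->e_lfanew <= 0)
        return -1;

    PIMAGE_NT_HEADERS pNtHeaders =
        (PIMAGE_NT_HEADERS)(pImageBase + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        return -1;

    const DWORD dwImageSize = pNtHeaders->OptionalHeader.SizeOfImage;
    const DWORD dwImportDirectory = pNtHeaders->OptionalHeader
        .DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    if (dwImportDirectory == 0)
        return -1;

    /* The descriptor array ends at the first entry whose Name RVA is zero. */
    for (DWORD dwDescriptorRva = dwImportDirectory; ;
         dwDescriptorRva += (DWORD)sizeof(IMAGE_IMPORT_DESCRIPTOR)) {
        if (!RvaRangeFits(dwDescriptorRva,
                          (DWORD)sizeof(IMAGE_IMPORT_DESCRIPTOR), dwImageSize))
            return -1;

        PIMAGE_IMPORT_DESCRIPTOR pDescriptor =
            (PIMAGE_IMPORT_DESCRIPTOR)(pImageBase + dwDescriptorRva);
        if (pDescriptor->Name == 0)
            break;

        /* The DLL name must start inside the image and be NUL-terminated
         * before the image ends. */
        const DWORD dwNameRva = pDescriptor->Name;
        if (dwNameRva >= dwImageSize ||
            memchr(pImageBase + dwNameRva, '\0', dwImageSize - dwNameRva) == NULL)
            return -1;

        if (!EqualsIgnoreCaseAscii(pImageBase + dwNameRva, "SHELL32.DLL"))
            continue;

        /* The lookup table gives the entry count: OriginalFirstThunk when
         * present, otherwise FirstThunk. The slots compared and rewritten
         * are always the FirstThunk ones. */
        DWORD dwLookupRva = pDescriptor->OriginalFirstThunk != 0
                                ? pDescriptor->OriginalFirstThunk
                                : pDescriptor->FirstThunk;
        DWORD dwThunkRva = pDescriptor->FirstThunk;

        for (;; dwLookupRva += (DWORD)sizeof(DWORD),
                dwThunkRva += (DWORD)sizeof(DWORD)) {
            if (!RvaRangeFits(dwLookupRva, (DWORD)sizeof(DWORD), dwImageSize) ||
                !RvaRangeFits(dwThunkRva, (DWORD)sizeof(DWORD), dwImageSize))
                return -1;

            /* memcpy avoids assuming the slots are aligned in the buffer. */
            DWORD dwLookup;
            memcpy(&dwLookup, pImageBase + dwLookupRva, sizeof dwLookup);
            if (dwLookup == 0)
                break;

            DWORD dwAPI;
            memcpy(&dwAPI, pImageBase + dwThunkRva, sizeof dwAPI);
            if (dwAPI == API_voffset) {
                memcpy(pImageBase + dwThunkRva, &NEW_voffset, sizeof NEW_voffset);
                return 0;
            }
        }
    }

    return -1;
}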
139.
140. 为了重定向,我们用VirtualAllocEx()(见上面第61行)在目标进程中分配了一块额外的存储空间。接下来将生成代码并把它写入这块备用空间(spare space)。
